patch 8.2.2364: Vim9: line break in lambda accesses freed memory
Problem: Vim9: line break in lambda accesses freed memory.
Solution: Make a copy of the return type. (closes #7664)
diff --git a/src/userfunc.c b/src/userfunc.c
index 7ca8186..bf701b4 100644
--- a/src/userfunc.c
+++ b/src/userfunc.c
@@ -539,7 +539,8 @@
char_u *start, *end;
int *old_eval_lavars = eval_lavars_used;
int eval_lavars = FALSE;
- char_u *tofree = NULL;
+ char_u *tofree1 = NULL;
+ char_u *tofree2 = NULL;
int equal_arrow = **arg == '(';
int white_error = FALSE;
@@ -582,6 +583,13 @@
}
*arg = s;
+ // Skipping over linebreaks may make "ret_type" invalid, make a copy.
+ if (ret_type != NULL)
+ {
+ ret_type = vim_strsave(ret_type);
+ tofree2 = ret_type;
+ }
+
// Set up a flag for checking local variables and arguments.
if (evaluate)
eval_lavars_used = &eval_lavars;
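Review bot: The return value of `vim_strsave(ret_type)` is not checked, so when the allocation fails ret_type silently becomes NULL and tofree2 stays NULL; parsing then continues as if the lambda had declared no return type instead of failing. Since vim_strsave already reports the out-of-memory condition, the copy only needs a follow-up check that takes the function's failure path (the exit the last hunk shows freeing fp and pt and returning FAIL), along the lines of `if (ret_type == NULL) goto <failure label>;` using whatever label that exit carries in the current source. The enclosing function starts and ends outside this hunk, and the line where ret_type is first set is not visible, so whether any use of ret_type precedes the copy cannot be confirmed from here.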
@@ -605,7 +613,7 @@
if (evalarg != NULL)
{
// avoid that the expression gets freed when another line break follows
- tofree = evalarg->eval_tofree;
+ tofree1 = evalarg->eval_tofree;
evalarg->eval_tofree = NULL;
}
@@ -700,9 +708,10 @@
eval_lavars_used = old_eval_lavars;
if (evalarg != NULL && evalarg->eval_tofree == NULL)
- evalarg->eval_tofree = tofree;
+ evalarg->eval_tofree = tofree1;
else
- vim_free(tofree);
+ vim_free(tofree1);
+ vim_free(tofree2);
if (types_optional)
ga_clear_strings(&argtypes);
return OK;
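Review bot: The tofree1/tofree2 release sequence is now duplicated verbatim between this OK exit and the FAIL exit in the following hunk, and the two copies already differ in where `eval_lavars_used = old_eval_lavars;` sits relative to the frees. A small static helper taking evalarg, tofree1 and tofree2 (hand tofree1 back to evalarg->eval_tofree when that is still NULL, otherwise free it; then free tofree2), called from both exits, would keep the next buffer kept alive across a line break from being released on one path only. Freeing tofree2 at both exits presumably assumes nothing retains a pointer into the copied ret_type string after the function returns; the hunk does not show where the parsed type is stored, so that is worth confirming against the callee.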
@@ -715,9 +724,10 @@
vim_free(fp);
vim_free(pt);
if (evalarg != NULL && evalarg->eval_tofree == NULL)
- evalarg->eval_tofree = tofree;
+ evalarg->eval_tofree = tofree1;
else
- vim_free(tofree);
+ vim_free(tofree1);
+ vim_free(tofree2);
eval_lavars_used = old_eval_lavars;
return FAIL;
}